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Abstract 



Motivated by distributed implementations of game-theoretical algo- 
" rithms, we study symmetric process systems and the problem of attaining 

common knowledge between processes. We formalize our setting by defin- 
ing a notion of peer-to-peer network^and appropriate symmetry concepts 

Qin the context of Communicating Sequential Processes (CSP) [TT], due to 
, the common knowledge creating effects of its synchronous communication 

t/5 primitives. We then prove that CSP with input and output guards makes 

I ^ I common knowledge in symmetric peer-to-peer networks possible, but not 

the restricted version which disallows output statements in guards and is 
commonly implemented. Our results extend [3]. 

> 

OO 1 Introduction 

(N 
(N 

O 

T-H Our original motivation comes from the distributed implementation of game- 

te theoretical algorithms (see e.g. [9 for a discussion of the interface between game 

theory and distributed computing) . Two important issues in the domain of game 
^ theory have always been knowledge, especially common knowledge, and sym- 

metry between the players, also called anonymity. We will describe these issues 
and the connections to distributed computing in the following two paragraphs, 
before we motivate our choice of process calculus and the overall goal of the 
paper. 



1.1 Motivation 



Common Knowledge and Synchronization. The concept of common know- 
ledge has been a topic of much research in distributed computing as well as in 
game theory. When do processes or players "know" some fact, mutually know 
that they know it, mutually know that they mutually know that they know 

^Please note that wo are not dealing with fashionable incarnations such as file-sharing 
networks, but merely use this name for a mathematical notion of a network consisting of 
directly connected peers "treated on an equal footing" , i.e. not having a client-server structure 
or otherwise pre-determined roles. 
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it, and so on ad infinitum? And how crucial is the difi'erence between arbi- 
trarily, but finitely deep mutual knowledge and the limit case of real common 
knowledge? 

In the area of distributed computing, the classical example showing that 
the difference is indeed essential is the scenario of Coordinated Attack, first 
considered by [H] . The game-theoretical incarnation of the underlying issue is 
the Electronic Mail Game [251 [T7] . 

The basic insight of these examples is that two agents that communicate 
through an unreliable channel can never achieve common knowledge, and that 
their behavior under finite mutual knowledge can be strikingly different. 

These issues are analyzed in detail in [5], in particular in a separately pub- 
lished part |10| . including a variant where communication is reliable, but mes- 
sage delivery takes an unknown amount of time. Even in that variant, it is 
shown that only finite mutual knowledge can be attained. 

However, in a synchronous communication act, sending and receiving of 
a message is, by definition, performed simultaneously. In that way, the agents 
obtain not only the pure factual information content of a message, but the sender 
also knows that the receiver has received the message, the receiver knows that 
the sender knows that, and so on ad infinitum. The communicated information 
immediately becomes common knowledge. 

Attaining common knowledge and achieving synchronization between pro- 
cesses are thus closely related. Furthermore, synchronization is in itself an 
important subject, see e.g. fM\ . 

Symmetry and Peer-to-peer Networks. In game theory, it is traditionally 

a fundamental assumption that players are anonymous and treated on an equal 
footing, in the sense that their names do not play a role and no single player is 
a priori distinguished from the others [151 EH] ■ 

In distributed computing, too, this kind of symmetry between processes is 
often a desideratum. Reasons to avoid a predetermined assignment of roles to 
processes or a centralized coordinator include fault tolerance, modularity, and 
load balancing [Tj. 

We will consider symmetry on two levels. Firstly, the communication net- 
work used by the processes should be symmetric to some extent in order not 
to discriminate single processes a priori on a topological level; we will formal- 
ize this requirement by defining peer-to-peer networks. Secondly, processes in 
symmetric positions of the network should have equal possibilities of behav- 
ior; this we will formalize in a semantic symmetry requirement on the possible 
computations. 

Communicating Sequential Processes (CSP). Since we are interested in 
synchronization and common knowledge, a process calculus which supports syn- 
chronous communication through primitive statements clearly has some appeal. 
We will focus on one of the prime examples of such calculi, namely CSP, in- 
troduced in [TT] and revised in [T^ E5] . It allows synchronous communication 
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by means of deterministic statements on the one hand and non-deterministic 
alternatives on the other hand, where the communication statements occur in 
guards. 

Furthermore, it has been implemented in various programming languages, 
among the best-known of which is Occam [T3] . We thus have at our disposal a 
theoretical framework and programming tools which in principle could give us 
synchronization and common knowledge "for free" . 

However, symmetric situations are a reliable source of impossibility results [6]. 
In particular, the restricted dialect CSPin which was, for implementation is- 
sues [1], chosen to be the theoretical foundation of Occam is provably [3] less 
expressive than the general form, called CSPi/g. CSPin has been used through- 
out the history of Occam, up to and including its latest variant Occam- tt [27] , 
This generally tends to be the case for implementations of CSP, one notable 
exception being a very recent extension |28] of JCSpj^to CSPi/o- 

Some of the resulting restrictions of CSPin can in practice be overcome by 
using helper processes such as buffers |T3]. Our goal therefore is to formalize 
the concepts mentioned above, extend the notion of peer-to-peer networks by 
allowing helper processes, and examine whether synchronization is feasible in 
either of these two dialects of CSP. We will come to the result that, while the 
problem can (straightforwardly) be solved in CSPi/o, it is impossible to do so 
in CSPin- Our setting thus provides an argument in favor of the former's rare 
and admittedly more complicated implementations, such as JCSP. 

1.2 Related Work 

This paper builds upon [5], where a semantic characterization of symmetry 
for CSP is given and fundamental possibility and impossibility results for the 
problem of electing a leader in networks of symmetric processes are proved for 
various dialects of CSP. More recently, this has inspired a similar work on the 
more expressive 7r-calculus [20 , but the possibility of adding helper processes is 
explicitly excluded. 

There has been research on how to circumvent problems resulting from the 
restrictions of CSPin. However, solutions are typically concerned only with the 
factual content of messages and do not preserve synchronicity and the common 
knowledge creating effect of communication, for example by introducing buffer 
processes [TJ- 

The same focus on factual information holds for general research on synchro- 
nizing processes with asynchronous communication. For example, in |24l one 
goal is to ensure that a writing process knows that no other process is currently 
writing; whether this is common knowledge, is not an issue. 

The problem of Coordinated Attack has also been studied for models in 
which processes run synchronously [S]; however, the interesting property of CSP 
is that processes run asynchronously, which is more realistic in physically dis- 
tributed systems, and synchronize only at communication statements. 

Java^^ implementation and extension of CSP. 
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Since we focus on the communication mechanisms, the results will likely 
carry over to other formalisms with synchronous communication facilities com- 
parable to those of CSP. 



1.3 Overview of the Paper 

In [Section 2] we give a short description of CSP and the dialects that we are 
interested in, define some basic concepts from graph theory, and recall the re- 
quired notions and results for symmetric electoral systems from [3]. 

In Section 3 we set the stage by first formally defining the problem of pairwise 
synchronization that we will examine. Subsequently, we give a formalization of 
peer-to-peer networks which ensures a certain kind of symmetry on the topo- 
logical level, and describe in what ways we want to allow them to be extended 
by helper processes. Finally, we adapt a concept from [3j to capture symmetry 
on the semantic level. 



Section 4| contains two positive results and the main negative result saying 



that pairwise synchronization of peer-to-peer networks of symmetric processes is 
not obtainable in CSPin, even if we allow extensions through buffers or similar 
helper processes. 



Section 5 offers a concluding discussion. 



2 Preliminaries 

We briefly review the required concepts and results from the CSP calculus in 



Section 2.1 from graph theory in Section 2.2 and from [3] in Section 2.3 For 



more details see [IIJ [22 [3] . 

2.1 CSP 

A CSP process consists of a sequential program which can use, besides the usual 
local statements (e.g. assignments or expression evaluations involving its local 
variables), two communication statements: 

• P ! message to send (output) the given message to process P; 

• PI variable to receive (input) a message from process P and store it in 
the given (local) variable. 

Communication is synchronous, i.e., send and receive instructions block until 
their counterpart is available, at which point the message is transferred and 
both participating processes continue execution. Note that the communication 
partner P is statically defined in the program code. 



There are two control structures (see Figure 1 ) . Each guard is a Boolean 
expression over local variables (which, if omitted, is taken to be true), optionally 
followed by a communication statement. A guard is open if its Boolean expres- 
sion evaluates to true and its communication statement, if any, can currently be 
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performed. A guard is closed if its Boolean expression evaluates to false. Note 
that a guard can thus be neither open nor closed. 



[ guardi 
□ guard2 



commandi 
command2 



*[ guardi commandi 
□ guard2 — > command2 



□ guardk commandk ] 



□ guardk ^ commandk ] 



(a) Non-deterministic selection 



(b) Non-deterministic repetition 



Figure 1: Control structures in CSP. 



The selection statement fails and execution is aborted if all guards are closed. 
Otherwise execution is suspended until there is at least one open guard. Then 
one of the open guards is selected non-deterministically, the required communi- 
cation (if any) performed, and the associated command executed. 

The repetition statement keeps waiting for, selecting, and executing open 
guards and their associated commands until all guards are closed, and then 
exits normally; i.e., program execution continues at the next statement. 

We will sometimes use the following abbreviation to denote multiple branches 
of a control structure (for some finite set X): 

^xex guardx — > command^ 

Various dialects of CSP can be distinguished according to what kind of com- 
munication statements are allowed to appear in guards. Specifically, in C'SPin 
only input statements are allowed, and in CSPi/o both input and output state- 
ments are allowed (within the same control structure). For technical reasons, 
CSPin has been suggested from the beginning and is indeed commonly used 
for implementations, as mentioned in [Section 

Definition 2.1. A communication graph (or network) is a directed graph with- 
out self-loops. A process system (or simply system) V with communication 
graph G = ( i?) is a set of component processes {Pv}vev such that for all 
w e V, if the program run by P„ (resp. P^,) contains an output command to 
Pni (resp. input command from Py) then {v,w) € E. In that case we say that 
G admits V. We identify vertices v and associated processes P„ and use them 
interchangeably. 

Example 2.2. [Figure 2] shows a simple network G with the vertex names writ- 
ten inside the vertices, and a C'SPi/o program run by two processes which make 
up a system V := {Po,Pi}. Obviously, G admits V. The intended behavior 
is that the processes send each other, in non-deterministic order, a message 
containing their respective process name. Since communication is synchronous, 
it is guaranteed that both processes execute each communication statement 
synchronously at the time when the message is transmitted. In a larger con- 
text, executing this code fragment would have the effect that the participating 
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processes synchronize, i.e., wait for each other and jointly perform the commu- 
nication. In terms of knowledge, this fact as well as the transmitted message 
(which can of course be more interesting than just the process names) become 
common knowledge between the processes. 



(o> <D 

(a) Network G 



reed 
sent 



false 
false 



f[ ^reed A P. 
□ ^sent A Pi+i 

(b) Program of process P. 



j+1 ?a; 
\i - 



> reed 
sent : 



true 
true 



Figure 2: Network and program run by Pq ^^^id Pi in Example 2.2 Addition of 
process names here and in all further example programs is modulo 2. 



Definition 2.3. A state of a system V is the collection of all component pro- 
cesses' (local) variables together with their current execution positions. A com- 
putation step is a transition from one state to another, involving either one 
component process executing a local statement, or two component processes 
jointly executing a pair of matching (send and receive) communication state- 
ments. The valid computation steps are determined by the state of the system. 

A computation is a maximal sequence of valid computation steps, i.e. a 
sequence which is not a prefix of any other sequence of valid computation steps. 
A computation 

• is properly terminated if all component processes have completed their last 
instruction, 

• diverges if it is infinite, and 

• is in deadlock if it is finite but not properly terminated. 

Example 2.4. [Figure 3] shows a computation of the system from [Figure 2] 
It is finite and both processes reach the end of their respective program, so it 
is properly terminated. Note that the exact order in which, for example, the 
processes get to initialize their local variables is non-deterministic, so there are 
other computations with these steps exchanged. Only certain restrictions to the 
order apply, e.g. that the steps within one process are ordered corresponding 
to its program, or that both processes must have evaluated the Boolean guards 
before they can participate in the subsequent communication. 



2.2 Graph Theory 

We state some fundamental notions concerning directed finite graphs, from here 
on simply referred to as graphs. 
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Po 

Pi 
Pi 

Po 

Pi 

Po 

,P1 

Po 
Po 

Pi 
Pi 
,P1 
Pi 

Po 

Po 

Pi 



assign false to reed 

assign false to reed 

assign false to sent 

assign false to sent 

evaluate Boolean guards 

evaluate Boolean guards 

send from Pq to Pi 's variable x 

assign true to sent 

evaluate Boolean guards 

assign true to reed 

evaluate Boolean guards 

send 1 from Pi to Pq's variable x 

assign true to sent 

assign true to reed 

evaluate Boolean guards and exit repetition 
evaluate Boolean guards and exit repetition 



Figure 3: A properly terminating computation of the system from Example 2.2 



Definition 2.5. Two vertices a,b G F of a graph G = {V,E) are strongly 
connected if there are paths from a to & and from 6 to a; G is strongly connected 
if all pairs of vertices are. 

Two vertices a,b € V are directly connected if (a, b) G E or (&, a) E; G 
is directly connected if all pairs of vertices are. 

Definition 2.6. An automorphism of a graph G = {V , E) is a, permutation a 
of V such that for all w € V, 

{v,w) e E implies {cr{v),a{w)) £ E . 

The automorphism group S g of a graph G is the set of all automorphisms of G. 
The least p > with cr^ = id is called the period of a, where by id we denote 
the identity function defined on the domain of whatever function it is compared 
to. 

The orbit of v E V under cr G Y.q is 0,„ :— {(tP{v) \ p > 0}. An automor- 
phism a is well-balanced if the orbits of all vertices have the same cardinality, 
or alternatively, if for all p > 0, 

aP{v) — V for some v G V implies cr^ = id . 

We will usually consider the (possibly empty) set \ {id} of non-trivial well- 
balanced automorphisms of a graph G, that is those with period greater than 1. 

A subset W C V is called invariant under cr S if ct( W) — W, i.e. if W 
is an orbit under cr; it is called invariant under Sc if it is invariant under all 
a g Eg- 



Example 2.7. Figure 4 shows two graphs G and H and automorphisms cr €E Eg 
with period 3 and r G E/f with period 2. Both are well-balanced since, e.g., 
01 = ^ {1,3} and OJ" = 01 = {2,4} all have the same cardinality. We 
have E/f — {id,T}, so {1,3} and {2,4} are invariant under E/^. 
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(a) Graph G, a e'£c 



(b) Graph H,t (^Y.h 



Figure 4: Two graphs with non-trivial wcU-balanccd automorphisms, indicated 
by gray, bent arrows. 



2.3 Symmetric Electoral Systems 

We take over the semantic definition of symmetry from ^ . As discussed there, 
syntactic notions of symmetry are difficult to formalize properly; requiring that 
"all processes run the same program" does not do the job. We will skip the 
formal details since we are not going to use them. The interested reader is 
referred to [3J. 

Definition 2.8 (adapted from [3| Definition 2.2.2]). A system V with commu- 
nication graph G = {V ,E) is symmetric if for each automorphism cr G and 
each computation C of V, there is a computation C of V in which, for each 
V € V , process Pct(u) performs the same steps as in C, modulo changing 
via cr the process names occurring in the computation (e.g. as communication 
partners) . 

The intuitive interpretation of this symmetry notion is as follows. Any two 
processes which are not already distinguished by the communication graph G 
itself, i.e. which are related by some automorphism, must have equal possibilities 
of behavior. That is, whatever behavior one process exhibits in some particular 
possible execution of the system (i.e., in some computation), the other process 
must exhibit in some other possible execution of the system, localized to its 
position in the graph by appropriate process renaming. Taken back to the 
syntactic level, this can be achieved by running the same program in both 
processes, which must not make use of any externally given distinctive features 
like, for example, an ordering of the process names. 



Example 2.9. The system from Figure 2 is symmetric. It is easy to see that 



for example, if we swap all Os and Is in the computation shown in [Figure 3| we 
still have a computation of V. Note that programs are allowed to access the 
process names, and indeed they do; however, they do not, for example, use their 
natural order to determine which process sends first. 

Example 2.10. On the other hand, consider the system Q — {Qoj Qi] running 



the program in Figure 5 There is obviously a computation where Qo sends 
its process name to Qi, since the two vertices of the communication graph 
are related by an automorphism, symmetry would require that there also be 
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a computation where Qi sends its process name 1 to (Jo- However, such a 
computation does not exist due to the use of the process name for determining 
the communication role, so the system is not symmetric. 



[ i = ^ Q,+i ! i 
□ z = 1 ^ ft+i ? X ] 



Figure 5: Asymmetric program run by Qo and Qi in Example 2.10 



We now recall a classical problem for networks of processes, pointed out 

by m- 

Definition 2.11 (from ^3, Definition 1.2.1]). A system V is an electoral system 
if 

(i) all computations of V are properly terminating and 

(ii) each process of V has a local variable leader, and at the time of termina- 
tion all these variables contain the same value, namely the name of some 
process P gV. 

We now restate the impossibility result which our paper builds on, combining 
a graph-theoretical characterization with the symmetry notion and electoral 
systems. 

Theorem 2.12 (from [IT, Theorem 3.3.2]). Suppose a network G admits some 
well-balanced automorphism a different from id. Then G admits no symmetric 
electoral system in CSPtn- 



3 Setting the Stage 

3.1 Pairwise Synchronization 

Intuitively, if we look at synchronization as part of a larger system, a process is 
able to synchronize with another process if it can execute an algorithm such that 
a direct communication (of any message) between the two processes takes place. 
This may be the starting point of some communication protocol to exchange 
more information, or simply be taken as an event creating common knowledge 
about the processes' current progress of execution. 

Communication in CSP always involves exactly two processes and facilities 
for synchronous broadcast do not exist, thus synchronization is inherently pair- 
wise only. This special case is still interesting and has been subject to research, 
see e.g. pi] . 

Focusing on the synchronization algorithm, we want to guarantee that it 
allows all pairs of processes to synchronize. To this end, we require existence 
of a system where in all computations, all pairs of processes synchronize. Most 
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probably, in a real system not all pairs of processes need to synchronize in all 
executions. However, if one has an algorithm which in principle allows that, then 
one could certainly design a system where they actually do; and, vice versa, if 
one has a system which is guaranteed to synchronize all pairs of processes, then 
one can obviously use its algorithms to synchronize any given pair. Therefore 
we use the following formal notion. 

Definition 3.1. A system V of processes (pairwise) synchronizes Q if all 
computations of V are finite and properly terminating and contain, for each 
pair Pa, Pb S Qi at least one direct communication from Pa to Pb or from Pb 

to Pa. 



Example 3.2. The system from Figure 2 synchronizes {Pq, Pi} 



Note that the program considered so far is not a valid CSPin program, 
since there an output statement appears within a guard. If we want to restrict 
ourselves to CSPin (for example, to implement the program in Occam), we have 
to get rid of that statement. Attempts to simply move it out of the guard fail 
since the symmetric situation inevitably leads to a system which may deadlock. 

To see this, consider the system V' = {Pq,P(} with the program shown 
in [Figure 6] There is no guarantee that not both processes enter the sec- 
ond clause of the repetition at the same time and then block forever at the 
output statement, waiting for each other to become ready for input. A stan- 
dard workaround jH] for such cases is to introduce buffer processes mediat- 
ing between the main processes, in our case resulting in the extended system 



TZ = {Rq, R'^, Ri, R'i\ shown in Figure 7 



reed :— false 
sent := false 
*[ -^recd A -Pj'+i ? a; — > reed := true 
□ ^sent —> P'i^i ! i', sent :— true ] 



Figure 6: Program of process P'^ potentially causing deadlock. 



While the actual data transmitted between the main processes remains the 
same, this system obviously cannot synchronize {Rq, Ri}, since there is not even 
a direct link in the communication network. This removes the synchronizing and 
common knowledge creating effects of communication. Even though a buffer 
might notify its main process when its message is delivered, then notify the 
communication partner about the notification, and so on, synchronicity is not 
restored and mutual knowledge only achieved to a finite (if arbitrarily high) 
level, as discussed in [Section 

The obvious question now is: Is it possible to change the program or use 
buffer or other helper processes in more complicated and smarter ways to nego- 
tiate between the main processes and aid them in establishing direct communi- 
cations? 
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reed := false 
sent := false 
*[ -^reed A R[j^i 7 x reed := true 
□ -^sent R[ \ i; sent := true ] 

(a) Program of main process Ri 




(c) Underlying communication network 

Figure 7: Extended system with main processes Rq and i?i and buffer processes 
R'q and R[ together with the underlying communication network. 



R^^y 
R^+i ! y 

(b) Program of buffer process R'^ 



To attack this question, in the following Section 3.2 we will formalize the kind 
of communication networks we are interested in and define how they may be 
extended in order to allow for helper processes without affecting the symmetry 
inherent in the original network. 

3.2 Peer-to-peer networks 

The idea of peer-to-peer networks is to have nodes which can communicate 
with each other directly and on an equal footing, i.e. there is no predetermined 
client/server architecture or central authority coordinating the communication. 
We first formalize the topological prerequisites for this, and then adapt the 
semantic symmetry requirement to our setting. 

Definition 3.3. A peer-to-peer network is a communication graph G = {V ,E) 
with at least two vertices (also called nodes) such that 

(i) G is strongly connected, 

(ii) G is directly connected, and 

(iii) we have E^'' \ {id} ^ 0. 

In this definition, (i) says that each node has the possibility to contact (at 
least indirectly) any other node, reflecting the fact that there are no prede- 
termined client/server roles; (ii) ensures that all pairs of nodes have a direct 
connection at least in one direction, without which pairwise synchronization by 
definition would be impossible; and (iii) requires a kind of symmetry in the 
network. This last item is implied by the more intuitive requirement that there 
be some a e Y,q with only one orbit, i.e. an automorphism relating all nodes to 
each other and thus making sure that they are topologically on an equal footing. 
The requirement we use is less restrictive and suffices for our purposes. 



Example 3.4. See Figure 4 for two examples of peer-to-peer networks. 



11 



We will consider extensions of a peer-to-peer network which we will consider 
in order to allow for helper processes while preserving the symmetry inherent 
in the network. The intuitive background for this kind of extensions is that we 
view the peers, i.e. the nodes of the original network, as processors each running 
a main process, while the added nodes can be thought of as helper processes 
running on the same processor as their respective main process. Communication 
connections between processors are physically given, while inside a processor 
they can be created as necessary. 

Definition 3.5. Let G — {V , E) he a, peer-to-peer network, then G' — {V, E') 
is a symmetry-preserving extension of G iff there is a collection {Sv\y^v parti- 
tioning V' such that 

(i) for all ?; e we have v € S^; 

(ii) all ?; G V and v' (z Sy \ {v} are strongly connected (possibly via nodes 

^ Sv)', 

(iii) for all v,w e V, E'n {Sy x S*™) 7^ iff {v, w) e E; 

(iv) there is, for each a e Sq, an automorphism G extending a such 
that tcr(6'„) = S^(y) for all w € 

Remark. In general, the collection {Sv}y^v may not be unique. When we refer 
to it, we implicitly fix an arbitrary one. 

Intuitively, these requirements are justified as follows: 

(i) Each Sv can be seen as the collection of processes running on the processor 
at vertex v , including its main process Py . 

(ii) The main process should be able to communicate (at least indirectly) in 
both ways with each helper process. 

(iii) While communication links within one processor can be created freely, 
links between processes on different processors are only possible if there 
is a physical connection, that is a connection in the original peer-to-peer 
network; also, if there was a connection in the original network, then there 
should be one in the extension in order to preserve the network structure. 

(iv) Lastly, to preserve symmetry, each automorphism of the original network 
must have an extension which maps all helper processes to the same pro- 
cessor as their corresponding main process. 



Example 3.6. See Figure 8 for an example of a symmetry-preserving exten- 



sion. Note that condition of Definition 3.5 is liberal enough to allow helper 



processes to communicate directly with processes running on other processors, 
and indeed, e.g. 2c has a link to 3. It also allows several communication links 
on one physical connection, reflected by the fact that there are three links con- 
necting 5*2 to 5*3. Furthermore, (|ii| is satisfied in that the main processes are 
strongly connected with their helper processes, although, as e.g. with 2 and 2c, 
indirectly and through processes on other processors. 
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(a) Symmetry-preserving extension of the net- (b) Extended automorphism as required by 
work from [Figure ^[^ajj [Definition 3.5[ 



Figure 8: A symmetry-preserving extension (illustrating Definition 3.5). 



We will need the following immediate fact later on. 

Fact 3.7. As a direct consequence of Definitions [X^l and [X5| any symmetry- 
preserving extension of a peer-to-peer network is strongly connected. 

3.3 C-symmetry 

Corresponding to the intuition of processors with main and helper processes, 
we weaken [Definition 2.8| such that only automorphisms are considered which 
keep the set of main processes invariant and map helper processes to the same 
processor as their main process. There are cases where the main processor 
otherwise would be required to run the same program as some helper process. 

Definition 3.8 ( G-symmetry) . A system V whose communication graph G' is 
a symmetry-preserving extension of some peer-to-peer network G — {V ,E) is 
called G -symmetric if [Definition 2.8| holds with respect to those automorphisms 
a € Yic' satisfying, for all ii G 

(i) (t{V)^ V and 

(ii) a{Sy) = 

This is weaker than [Definition 2.8[ since there we require the condition to 
hold for all automorphisms. 



Example 3.9. To illustrate the impact of G-symmetry, Figure 9 shows a net- 
work G and an extension where symmetry relates all processes which each other. 
G-symmetry disregards the automorphism which causes this and considers only 
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those which keep the set of main processes invariant, i.e. the nodes of the 
original network G, thus allowing them to behave differently from the helper 
processes. 

Note that the main processes do not have a direct connection in the exten- 
sion, which is permitted by [Definition 3.5| although it will obviously make it 
impossible for them to synchronize. 



(1> K2) 

(a) Network G 




Si 

(b) Extension of G and an au- 
tomorphism mixing main and 
helper processes 




^1 

(c) Extension of G and the only 
automorphism taken into ac- 
count by G-symmetry 



Figure 9: A network G and an extension which has an automorphism mixing 
main and helper processes, disregarded by G-symmetry. 



Now that we have formalized peer-to-peer networks and the symmetry-pre- 
serving extensions which we want to allow, we are ready to prove positive and 
negative results about feasibility of pairwise synchronization. 



4 Results 

4.1 Positive Results 



First, we state the intuition foreshadowed in Section 3.1 namely that CSPi^, 



does allow for symmetric pairwise synchronization m peer-to-peer networks 

Theorem 4.1. Let G — {V , E) be a peer-to-peer network. Then G admits a 
symmetric system pairwise synchronizing V in C'SPi/o- 



Proof. A system which at each vertex v & V runs the program shown in Fig- 



ure 10 is symmetric and pairwise synchronizes V . Each process simply waits for 
each other process in parallel to become ready to send or receive a dummy mes- 
sage, and exits once a message has been exchanged with each other process. □ 

As a second result, we show that by dropping the topological symmetry 
requirement for peer-to-peer networks, under certain conditions we can achieve 
symmetric pairwise synchronizing systems even in CSPin- 

Theorem 4.2. Let G = {V , E) be a network satisfying only the first two condi- 



tions of Definition 3.3. i.e. G is strongly connected and directly connected. Lf G 



admits a symmetric electoral system and there is some vertex v ^ V such that 
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for each w G V do syncu, := false 
W,n {w e F I {w,v) e E} 

Wont ■.^{weV\ {V,W) e E} 



we Win 



„ A P„ ! 



synCu 
syncn 



true 
true 



Figure 10: The program run at each vertex v (£ V in the proof of Theorem 4.1 



{v,a) e E and {a,v) G E for all a E V, then G admits a symmetric system 
pairwise synchronizing V in CSPm- 

Proof. First, the electoral system is run to determine a temporary leader v'. 
When the election has terminated, v' chooses a coordinator v that is directly 
and in both directions connected to all other vertices, and broadcasts its name. 
Broadcasting can be done by choosing a spanning tree and transmitting the 
broadcast information together with the definition of the tree along the tree, 
as in the proof of [3, Theorem 2.3.1, Phase 2] (the strong connectivity which is 
required there holds for G by assumption). After termination of this phase, the 
other processes each send one message to v and then wait to receive commands 
from V according to which they perform direct communications with each other, 
while V receives one message from each other process and uses the obtained order 
to send out the commands. 

This can be achieved by running the following program at each process Pc, 
c V , after having elected the temporary leader v': 

• If c = v', choose some v d V such that [v, a) E E and (a, v) E E for all 
a E V, and broadcast the name v; otherwise obtain the broadcast name. 

• If c — v. 

— Receive exactly one message from each other process in some non- 
deterministic order and remember the order: 

W := V\{v} 

for each w E W do order ^ := — 1 
count := 
*[ l^i«e W order^ ~ —1 /\ P^l x ^ 

order w '■— count 

count :— count + 1 

] 

— Issue commands to the other processes according to the obtained 
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order: 

for each a,b £ V \ {v}, a ^ b do 

[ ordeVa < orderi, A (a, &) G i? ^ 
Pa ! "contact &" 
Pt ! "listen to a" 

□ ordeVa > orderi, W (a,b) ^ E ^ 

Ph ! "contact o" 
Pa ! "listen to &" 

] 

done 

otherwise (i.e. c ^ v): 

— Send dummy message to P„: 

— Execute the commands from v until one message has been exchanged 
with each other process: 

num :— \ V \{c, v}\ 
*[ num > A P„lm — > 

[ m — "contact w" — > P^ ! 

□ m = "listen to — > P^ ? x 

] 

num := nttm — 1 

] 

□ 



Example 4.3. See Figure iT] for an example of a network which admits a 



symmetric system pairwise synchronizing all its vertices in CSPin- The fact 
that the network admits a symmetric electoral system can be established as 
for [31 Fig. 4]. There the property is used that {1,2} and {3,4,5} are invariant 
under the network's automorphism group and the associated processes can thus 
behave differently; this property is not affected by the edges we have added 
(note that the edges between the lower nodes are only in one direction) . 




Figure 11: A network which by Theorem 4.2 admits a symmetric system pairwise 



synchronizing all its vertices in CSPin- Note that the connections between 
vertices 3, 4 and 5 are only in one direction. 

This result could be generalized, e.g. by weakening the conditions on v and 
taking care that the commands will reach the nodes at least indirectly. Since 
our main focus is the negative result, we will not pursue this further. 
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4.2 Negative Result 

In the following we will establish the main result saying that, even if we extend a 
peer-to-peer network G by helper processes (in a symmetry-preserving way), it 
is not possible to obtain a network which admits a G-symmctric system pairwise 
synchronizing the nodes of G in CSPtn- 

To this end, we derive a contradiction with Theorem 2.12| by proving the 



following intermediate steps (let G denote a peer-to-peer network and G' a 
symmetry-preserving extension) : 



Lemma 4.4 If G' admits a G-symmetric system pairwise synchronizing 
the nodes of G in CSPin, it admits a G-symmctric electoral system in 

CSPin- 



Lemma 4.5 G' has a non-trivial well-balanced automorphism taken into 



account by G-symmetry (i.e. satisfying the two conditions of Dcfinl 



tion 3.1 



Lemma 4.7 We can extend G' in such a way that there exists a non- 
trivial well-balanced automorphism (derived from the previous result), G- 
symmetry is reduced to symmetry, and admittance of an electoral system 
is preserved. 

Lemma 4.4. // some symmetry-preserving extension of a peer-to-peer network 
G — {V , E) admits a G-symmetric system pairwise synchronizing V in CSPin, 
then it admits a G-symmetric electoral system in CSPin- 

Proof. The following steps describe the desired electoral system (using the fact 
that under G-symmetry processes of nodes £ V may behave differently from 
those of nodes ^ V): 

• All processes run the assumed G-symmetric pairwise synchronization pro- 
gram, with the following modification for the processes in V := {P^ \ v S 
V} (intuitively this can be seen as a kind of knockout tournament, similar 
to the proof of [2J Theorem 4.1.2, Phase 1]): 

— Each of these processes has an additional local variable winning ini- 
tialized to true. 

— After each communication statement with some other P Cz V, insert 
a second communication statement with P in the same direction: 

* If it was a "send" statement, send the value of winning. 

* If it was a "receive" statement, receive a Boolean value, and if 
the received value is true, set winning to false. 

Note that, since the program pairwise synchronizes V , each pair of pro- 
cesses associated to vertices in V has had a direct communication at the 
end of execution, and thus there is exactly one process in the whole system 
which has a local variable winning containing true. 
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• After the synchronization program terminates the processes check their 
local variable winning. The unique process that still has value true de- 
clares itself the leader and broadcasts its name; all processes set their 
variable leader accordingly. As in the proof of [Theorem 4.2[ broadcast- 
ing can be done using a spanning tree. The required strong connectivity 
is guaranteed by [Fact SJ] □ 

Lemma 4.5. For any symmetry-preserving extension G' = { V , E') of a peer- 
to-peer network G = {V , E), there is a' G S^.* \ {id} such that a'{ V) = V and 
a'{Su) = S„,(^u) for all u e V. 



Proof. Take an arbitrary a G S^'' \ jid j (exists by Definition 3.3) and let t, to 
save indices, denote the io- required by Definition 3.5 If i e S^,? \ {id} we are 



done; otherwise we can construct a suitable a' from t by "slicing" orbits of t 
which are larger than the period of a into orbits of that size. See [Example 4.6| 
for an illustration of the following proof. 

Let p denote the period of a and pick an arbitrary v Cz V. For simplic- 
ity, we assume that a has only one orbit; if it has several, the proof extends 
straightforwardly by picking one v from each orbit and proceeding with them 
in parallel. 

For all M € S'u let := 1 0^1 and note that for all < S we have pt = Pu, 
and Pu ^ P since l maps each Sy to ^'^■(t,) and these sets are pairwise disjoint. 
We define a' : V ^ V as follows: 



a'{u) 



lP--p+^{u) Hue Sy 
l{u) otherwise. 



Now we can show that 



(t'( V) = V , a' ^ id: Follows from l \v— c and py — p and thus a' \v— c 
(where / \x denotes the restriction of a function / to the domain X) 



a' e Sg'^ With ( pvf| from Definition 3.5 we obtain that, for u £ Sy 



Pu 

must be a multiple of p, and cr'(0^ n 5*^,) — l{0'^ H Sy), thus a' is a 
permutation of V since l is one. Furthermore, for t,u G 5*1,, we have 
^p*(pu-i)(i) = t and tP"(P'-i)(M) u and therefore 

{a'it),a'{u)) = {iP<-P+'{t),LP"-P+\u)) 

^ {t,P'P"-P+'^{t),iP'P"-P+^{u)) , 

thus a' also inherits edge-preservation from t. 

• a'{Su) = Scr'(u)i cr' well-balanced: The above-mentioned fact that for 
all u £ Sy we have a'{0!^^ H Sy) — l{0^ (1 Sy), together with (liv]) from 



Definition 3.5 implies that also cr'(S'u) — Sa-{u) for all u £ V. For all 
v' e V, wcll-balancedness of a and disjointncss of the 5*^ imply that 
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cr'9(ii') ^ v' for Q < q < p. On the other hand, since each orbit of a has 
size p and contains exactly one element from (namely we have that 



,(PU-P+1) + (P- 



for some u e 0,V 



□ 



Example 4.6. Consider the extended peer-to-peer network G" shown in Fig- 



ure 



a) with automorphism to- as required by Definition 3.5 We illustrate the 
construction of a' given in the proof of [Lemma 4.5 

We have p — 2 (the period of cr = i^- t{i,2})i and we pick vertex v = 2. For 
the elements of 5*2, we obtain p2 ~ p — 2 and p2a = P2b = P2c = 6 since, e.g., 
= {2a, la, 2c, 16,26, Ic}. Thus a' is defined as follows: 



a'{u) 



l{u) if m = 2 

L^U) ifMeS'2\{2} 

l{u) if u £ Si . 



This cr' is depicted in Figure l^Kb)[ All orbits have the same cardinality, 
namely 2, and the remaining claims of [Lemma 4.5| are also satisfied. 




(a) La as required by Definition 3.5 




(b) a' constructed from to- as in Lemma 4.5 



Figure 12: An extended peer-to-peer network G' illustrating 



Lemma 4.5 



Lemma 4.7. Any symmetry-preserving extension G' — {V',E') of a peer-to- 
peer network G = {V , E) can be extended to a network H such that 

(i) Sf* \ {id} ^ 0, and 

(ii) if G' admits a G -symmetric electoral syst em in CSPin, 
then H admits a symmetric electoral system in CSPin- 

Proof. The idea is to add an "identifying structure" to all elements of V , which 
forces all automorphisms to keep V invariant and map the 5"^ to each other 
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correspondingly (see Figure 13 1. Formally, let K = \V'\ and, denoting the 



inserted vertices by z.^., for each v € V let 

K 



fc=i 

),{iy^k+i,v)}U [J {{iv,K,w)} 



k=i weSy 

and let 

H (f'U U I,,E'(J U 



vev vev 
Now we can prove the two claims 

\ {id} with (t( V j = V anu cr^Ot, j = Ocr(v) 



i) Let a £ \ {id} with cr( V) = V and cr(5'„) = for all t; e F (such 



a (T exists by Lemma 4.5 1, then 

K 



aU U U{z„,fc^z.(.).fc}eS^*\{id} 



■ug V k=l 

(ii) _ff is still a symmetry-preserving extension of G via (straightforward) ex- 
tensions of the Sy. The discriminating construction (notably the fact that 
the vertices from V now are guaranteed to have more edges than any ver- 
tex not in V , but still the same number with respect to each other) has 
the effect that S^f consists only of extensions, as above, of those cr S Sg' 
for which a{V) — V and cr(S'„) = S^(^y) for all v G V. Thus, any G- 
symmetric system with communication graph _ff is a symmetric system 
with communication graph H . 

Additionally, the set of all iy^k is invariant under Y,h due to the distinctive 
structure of the /„ , thus the associated processes are allowed to differ from 
those of the remaining vertices. A symmetric electoral system in CSPin 
can thus be obtained by running the original G-symmetric electoral system 
on all members of G' and having each v £ V inform about the leader, 
while all iy^k simply wait for and transmit the leader information. □ 

Now we have gathered all prerequisites to prove our main result. 

Theorem 4.8. There is no symmetry-preserving extension of any peer-to-peer 
network G = {V , E) that admits a G-symmetric system pairwise synchronizing 
V m CSP^n- 

Proof. Assume there is such a symmetry-preserving extension G'. Then by 
[Lemma 4.4|it a lso admits a G-symmetric electoral system in CSPin- According 
there is then a network H with \ {id} ^ that admits a 



to 



Lemma 4.7 



symmetric electoral system in CSPin- This is a contradiction to [Theorem 2.12 



□ 
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Figure 13: The network from Figure 9 shown with an automorphism disre- 
garded by G-symmetry, and the extension given in Lemma 4.7 invahdating 
automorphisms of this kind shown with the only remaining automorphism. 



5 Conclusions 

We have provided a formal definition of peer-to-peer networks and adapted a 
semantic notion of symmetry for process systems communicating via such net- 
works. In this context, we have defined and investigated the existence of pairwise 
synchronizing systems, which are directly useful because they achieve synchro- 
nization, but also because they create common knowledge between processes. 
Focusing on two dialects of the CSP calculus, we have proved the existence 
of such systems in CSPi/g, as well as the impossibility of implementing them 
in CSPin, even allowing additional helper processes like buffers. We have also 
mentioned a recent extension to JCSP to show that, while CSPin is less complex 
and most commonly implemented, implementations of CSPi/o are feasible and 
do exist. 

A way to circumvent our impossibility result is to remove some requirements. 
For example, we have provided a construction for non-symmetric systems in 
CSPin- In general, if we give up the symmetry requirement, CSPi/o can be 
implemented in CSPin ^ P- 197]. 

Another way is to tweak the definition or the assumptions about common 
knowledge. Various possibilities are given in [TU]. By following the eager pro- 
tocol proposed there, common knowledge can eventually be attained, but the 
trade-off is an indefinite time span during which the knowledge states of the 
processes are inconsistent. This may not be an option, especially in systems 
which have to be able to act sensibly and rationally at any time. Alternatively, 
if messages are guaranteed to be delivered exactly after some fixed amount of 
time, common knowledge can also be achieved, but this may not be realistic 
in actual systems. Finally, possibilities to approximate common knowledge are 
described. Approximate common knowledge or finite mutual knowledge may 
suffice in settings where the impact decreases significantly as the depth of mu- 
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tual knowledge increases, see e.g. [25] . 

However, if one is interested in symmetric systems and exact common knowl- 
edge, as in the game-theoretical settings described in [Section then our 
results show that CSPi/o is a suitable formalism, while CSPin is insufficient. 
Already in the introducing paper the exclusion of output guards from CSP 
was recognized as reducing expressivity and being programmatically inconve- 
nient, and soon it was deemed technically not justified [HSllTj and removed in 
later versions of CSP [HI p. 227]. 

Some existing proposals for implementations of input and output guards and 
synchronous communication could be criticized for simply shifting the problems 
to a lower level, notably for not being symmetric themselves or for not even 
being strictly synchronous in real systems due to temporal imprecision [10] . 

However, it is often useful to abstract away from implementation issues on 
the high level of a process calculus or a programming language (see e.g. [HI 
Section 10]). For these reasons, we view our setting as an argument for imple- 
menting CSPi/o rather than CSPin- 
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